It seems that every day there is news of a cyber-breach or of a large retailer's data being compromised. Cyber criminals grow ever more sophisticated, and so do the tools and products built to thwart them. Yet as important as these complex and elegant data security products are, a breach can just as easily come from the least complex part of a technology asset's lifecycle: its end. Careful attention to how you dispose of your IT assets is as important as the investment in the most sophisticated tools that protect them during their active life. We call it "The Other Firewall." A firewall keeps bad people from getting in; the other firewall keeps sensitive information from getting out.
The Increasing Electronic Data Risk
These days, electronic data is the norm and cloud storage is second nature. However, the more widely electronic data is disseminated, the harder it is to contain, and the harder it becomes to destroy with confidence. According to the FBI, cybercrime is one of the fastest growing segments of crime in the United States, and best practices and methodologies for preventing it are readily available.
One thing that is commonly overlooked, however, is the threat posed by the electronic data stored on the myriad pieces of hardware we use and replace every day. By the estimate quoted here, between 70% and 80% of data breaches come from off-network equipment: equipment that has been decommissioned, misplaced, or stolen. Off-network devices often contain proprietary, internally developed software; network configuration such as addresses and routing tables, along with stored credentials, that lets an attacker map and access the network; and confidential information such as Social Security numbers, patient records, personnel files, and trade secrets.
While the vast majority of corporate security budgets go to protecting online assets, companies now need to think about how they decommission devices so that sensitive electronic data does not end up in the wrong hands. Before you adopt any methodology for removing and retiring IT assets, here are the top issues to consider to ensure the assets are disposed of safely.
Top Issue 1: Embedded Media
When decommissioning IT assets, many people focus on destroying the hard drive to protect their sensitive information. Proper destruction does protect the data on the hard drive, but more often than not the device also carries embedded media deep inside. Embedded media (sometimes called embedded storage) is non-volatile storage built into a specific part or component of a system, such as flash memory on a controller or management board, that gives the system fast access to its own configuration as well as user data. From cell phones to copy machines and servers, manufacturers increasingly rely on embedded media to add intelligence to their devices. This media often holds not only system information but user-specific data: IP addresses, user names, passwords, and much more. In the wrong hands, that information can mean big trouble for you and your company.
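The practical consequence of the paragraph above is that a decommissioning checklist has to start from a complete inventory of storage on the asset, not from "the hard drive". The following is an added example, not code from the original article or from any ITAD vendor: it parses the JSON that Linux's `lsblk` command emits, lists every disk-class device including soldered-on eMMC flash that a technician would never pull out of the chassis, says how each one should be handled, and includes a check that reads a device back after a zero-fill wipe and reports the first byte that is not zero. The `lsblk` JSON, device names and model strings are a constructed sample, not a real capture; the host, column set and stage wording are assumptions.

```python
"""Inventory every storage device on a Linux host before it leaves the network,
and confirm that a sanitized device reads back as zeros.

Added example, not code from the original article. It assumes a Linux host on
which `lsblk -J -o NAME,TYPE,SIZE,TRAN,ROTA,RM,MODEL` is available; the JSON
below is a constructed sample of that output, not a real capture.
"""
import io
import json
import subprocess
from typing import BinaryIO, Dict, Iterator, List

LSBLK_COLUMNS = "NAME,TYPE,SIZE,TRAN,ROTA,RM,MODEL"

# Constructed sample: a SATA hard drive, an NVMe SSD, an eMMC module soldered to
# the board (plus its boot area) and a DVD drive. Pulling "the hard drive" from
# this box would leave three of the four storage devices behind.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "size": "1.8T", "tran": "sata", "rota": true, "rm": false,
     "model": "EXAMPLE-HDD-2T",
     "children": [
       {"name": "sda1", "type": "part", "size": "1.8T", "tran": null, "rota": true, "rm": false, "model": null}
     ]},
    {"name": "nvme0n1", "type": "disk", "size": "476.9G", "tran": "nvme", "rota": false, "rm": false,
     "model": "EXAMPLE-NVME-512G"},
    {"name": "mmcblk0", "type": "disk", "size": "29.1G", "tran": null, "rota": false, "rm": false, "model": null},
    {"name": "mmcblk0boot0", "type": "disk", "size": "4M", "tran": null, "rota": false, "rm": false, "model": null},
    {"name": "sr0", "type": "rom", "size": "1024M", "tran": "sata", "rota": true, "rm": true, "model": "EXAMPLE-DVD"}
  ]
}
"""


def _flag(value) -> bool:
    """lsblk emits real booleans in newer versions and "0"/"1" strings in older ones."""
    return value in (True, 1, "1", "true")


def _walk(nodes: List[dict]) -> Iterator[dict]:
    """Depth-first walk of the lsblk device tree (disks, their partitions, etc.)."""
    for node in nodes:
        yield node
        yield from _walk(node.get("children", []))


def classify(dev: dict) -> str:
    """State how one device must be handled. The point is that every disk gets a line."""
    if _flag(dev.get("rm")):
        return "removable media: eject, log and sanitize separately"
    if dev["name"].startswith("mmcblk"):
        return "embedded eMMC flash: soldered on, survives hard-drive removal"
    if dev.get("tran") == "nvme" or not _flag(dev.get("rota")):
        return "solid-state: an overwrite can miss reserved blocks, use the drive's secure/crypto erase"
    return "rotational hard drive: overwrite, degauss or shred"


def inventory(lsblk_json: str) -> List[Dict[str, str]]:
    """Every device of type "disk"; partitions and optical drives are skipped."""
    tree = json.loads(lsblk_json)["blockdevices"]
    return [
        {"name": d["name"], "size": d.get("size", "?"),
         "model": d.get("model") or "n/a", "action": classify(d)}
        for d in _walk(tree) if d.get("type") == "disk"
    ]


def live_inventory() -> List[Dict[str, str]]:
    """The same report for the host this runs on (needs lsblk; not used by the sample)."""
    out = subprocess.run(["lsblk", "-J", "-o", LSBLK_COLUMNS],
                         check=True, capture_output=True, text=True).stdout
    return inventory(out)


def first_nonzero_offset(stream: BinaryIO, chunk_size: int = 1 << 20) -> int:
    """Read a device (or image) and return the offset of the first non-zero byte,
    or -1 if it is blank. Run it against /dev/<name> after a zero-fill wipe."""
    offset = 0
    zero = bytes(chunk_size)
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return -1
        if chunk != zero[:len(chunk)]:
            for i, b in enumerate(chunk):
                if b:
                    return offset + i
        offset += len(chunk)


def check_wipe_sample(data: bytes) -> int:
    """Convenience wrapper for an in-memory image, used by the demonstration below."""
    return first_nonzero_offset(io.BytesIO(data), chunk_size=4096)


if __name__ == "__main__":
    for d in inventory(SAMPLE_LSBLK_JSON):
        print(f"{d['name']:<14}{d['size']:>8}  {d['action']}")
    # Constructed residue: a credential left behind after an incomplete wipe.
    print("first non-zero byte:", check_wipe_sample(bytes(8192) + b"admin:P@ssw0rd"))
```

The wipe check only proves that a zero-fill reached every address the operating system can see; on flash it says nothing about over-provisioned or remapped blocks, which is why the solid-state entries point at the drive's own secure-erase or crypto-erase command instead. NIST SP 800-88 Rev. 1 is the usual reference for matching a sanitization method to each media type.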
Top Issue 2: Documentation
Many organizations have compliance requirements such as SOX, PCI, GLB, and HIPAA impacting how they manage the decommissioning of IT assets. In addition, there is a fiduciary responsibility that reaches the board level to protect intellectual property, trade secrets, and client information to name just a few. This liability is not severed after the equipment leaves your possession.
Most businesses settle for basic certifications and limited documentation from their IT Asset Disposition vendor. That is insufficient to prove responsible behavior and leaves you at risk. Make sure your ITAD vendor can produce detailed reports that track not only the movement of material but also the quality of handling at every stage of the IT Asset Disposition process: for each asset, identified by serial number, the report should show who took custody when, what sanitization or destruction method was applied, and how the result was verified, so that it amounts to forensic proof of data destruction. The report should be available at any time. This not only reduces your risk, but because it is readily available it also shortens the time to resolution when questions come up about your gear.
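To make the "forensic proof" concrete, here is an added example of what a per-asset, per-stage custody record can look like and how its integrity can be checked. It is not the article's or any vendor's system: each event (asset serial, stage, operator, detail, time) is chained to the previous one with a SHA-256 hash, so an altered or removed entry is detectable, and a per-asset report lists which stages have been completed and which are still missing. The stage names, serial numbers, operators and timestamps are hypothetical, constructed for the demonstration.

```python
"""A tamper-evident chain-of-custody ledger for decommissioned assets.

Added example, not code from the original article or from any ITAD vendor.
Stage names, serial numbers, operators and timestamps below are hypothetical.
"""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64
# Hypothetical lifecycle every asset must complete before the file is closed.
REQUIRED_STAGES = ("received", "inventoried", "sanitized", "verified", "destroyed")
BODY_FIELDS = ("when", "serial", "stage", "operator", "detail")


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash of the previous link plus a canonical (sorted, compact) JSON body."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def append_event(ledger: List[dict], serial: str, stage: str,
                 operator: str, detail: str, when: str) -> dict:
    """Append one custody event; its hash commits to every earlier event."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"when": when, "serial": serial, "stage": stage,
            "operator": operator, "detail": detail}
    entry = dict(body, prev_hash=prev, hash=_entry_hash(prev, body))
    ledger.append(entry)
    return entry


def verify_ledger(ledger: List[dict]) -> Optional[int]:
    """Return None if every link holds, else the index of the first broken entry."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        body = {k: e[k] for k in BODY_FIELDS}
        if e["prev_hash"] != prev or e["hash"] != _entry_hash(prev, body):
            return i
        prev = e["hash"]
    return None


def asset_report(ledger: List[dict], serial: str) -> Dict[str, object]:
    """The on-demand, per-asset view: stages completed, stages still owed."""
    events = [e for e in ledger if e["serial"] == serial]
    stages = [e["stage"] for e in events]
    missing = [s for s in REQUIRED_STAGES if s not in stages]
    return {"serial": serial, "events": events, "stages": stages,
            "missing": missing, "complete": not missing}


def build_sample_ledger() -> List[dict]:
    """Constructed history for two hypothetical assets; SN-B2 is still in progress."""
    led: List[dict] = []
    append_event(led, "SN-A1", "received", "dock-1", "pallet 17, seal intact", "2024-05-01T09:00Z")
    append_event(led, "SN-B2", "received", "dock-1", "pallet 17, seal intact", "2024-05-01T09:01Z")
    append_event(led, "SN-A1", "inventoried", "tech-4", "sda, nvme0n1, mmcblk0 recorded", "2024-05-01T11:20Z")
    append_event(led, "SN-B2", "inventoried", "tech-4", "sda recorded", "2024-05-01T11:25Z")
    append_event(led, "SN-A1", "sanitized", "tech-7", "nvme crypto-erase; sda 1-pass zero", "2024-05-02T08:10Z")
    append_event(led, "SN-B2", "sanitized", "tech-7", "sda 1-pass zero", "2024-05-02T08:40Z")
    append_event(led, "SN-A1", "verified", "qa-2", "read-back: no non-zero bytes", "2024-05-02T13:00Z")
    append_event(led, "SN-A1", "destroyed", "shred-1", "drives shredded, batch 88", "2024-05-03T10:00Z")
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain intact:", verify_ledger(led) is None)
    for sn in ("SN-A1", "SN-B2"):
        r = asset_report(led, sn)
        print(sn, "complete" if r["complete"] else f"missing {r['missing']}")
    led[2]["detail"] = "sda only"          # someone edits history after the fact
    print("first broken entry after tampering:", verify_ledger(led))
```

The hash chain shows that a record was not altered after it was written; it does not show that the record was true when written, which is why each stage names the operator and why the verification stage is performed by someone other than the technician who sanitized the device. Anchoring the latest hash somewhere the vendor cannot change (a signed certificate delivered to the client, or an entry in the client's own system) is what turns the ledger into evidence the client controls.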
Top Issue 3: Indemnification
Most companies ask for some type of indemnification from their IT Asset Disposition Provider and more often than not, this indemnification amounts to little more than a promise of protection. Here’s why. In order for the disposition provider’s insurance to be effective in protecting you as the client, it must have sufficient monetary limits and be written correctly to cover the incidents you’re most likely to experience.
We find that many companies fall short of proper indemnification and sometimes don’t even know the right questions to ask. For example, companies frequently ask for the disposition provider to carry errors and omissions insurance; however, this type of insurance will not necessarily cover cybercrime, which is much more common and usually requires cyber liability insurance for proper coverage. In other situations, the documentation provided by the disposition company is insufficient to trigger coverage and in some cases even when coverage is triggered, the disposition provider’s insurance protects them but not you. Indemnification is a complex subject and businesses are relatively inexperienced with respect to the nuances of IT asset disposition. The proper insurance is expensive and difficult to obtain, but lacking it creates an unnecessary risk that can be easily eliminated by working with the right IT asset disposition vendor.
Steps to Protect Electronic Data
Good security practices should remain in effect even after a device (system, component, server, etc.) has outlived its usefulness and is removed from the network. Although the risks are higher than ever, there are tools and processes that, when properly executed, reduce the chance of your data being exposed. Here are three simple steps companies can take to get started in the right direction:
- Conduct an IT assessment provided by an IT lifecycle management company. With this assessment you will learn where you are exposed and how to close the gaps.
- Consult with an attorney experienced in data security and technology law to position your company as well as you can, so you are prepared if something goes wrong.
- Consult with an insurance provider experienced in cyber security to make sure you have adequate insurance to protect you and your company if you have to make a data breach claim. The insurance provider can give you guidance.